
Commit dcb3fb7

committed
tmp
1 parent 2919880 commit dcb3fb7


1 file changed

+140
-2
lines changed


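--- a/nix/ext/001-new-vault.patch
+++ b/nix/ext/001-new-vault.patch
@@ -1116,6 +1116,135 @@ index ee40004..8973fe0 100644
 
 COMMENT ON TABLE vault.secrets IS 'Table with encrypted `secret` column for storing sensitive information on disk.';
 
+diff --git a/sql/supabase_vault--0.3.0.sql b/sql/supabase_vault--0.3.0.sql
+new file mode 100644
+index 0000000..125168f
+--- /dev/null
++++ b/sql/supabase_vault--0.3.0.sql
+@@ -0,0 +1,123 @@
++CREATE OR REPLACE FUNCTION vault._crypto_aead_det_encrypt(message bytea, additional bytea, key_id bigint, context bytea = 'pgsodium', nonce bytea = NULL)
++RETURNS bytea
++AS 'MODULE_PATHNAME', 'pgsodium_crypto_aead_det_encrypt_by_id'
++LANGUAGE c IMMUTABLE;
++
++CREATE OR REPLACE FUNCTION vault._crypto_aead_det_decrypt(message bytea, additional bytea, key_id bigint, context bytea = 'pgsodium', nonce bytea = NULL)
++RETURNS bytea
++AS 'MODULE_PATHNAME', 'pgsodium_crypto_aead_det_decrypt_by_id'
++LANGUAGE c IMMUTABLE;
++
++CREATE OR REPLACE FUNCTION vault._crypto_aead_det_noncegen()
++RETURNS bytea
++AS 'MODULE_PATHNAME', 'pgsodium_crypto_aead_det_noncegen'
++LANGUAGE c IMMUTABLE;
++
++CREATE TABLE vault.secrets (
++ id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
++ name text,
++ description text NOT NULL default '',
++ secret text NOT NULL,
++ key_id uuid,
++ nonce bytea DEFAULT vault._crypto_aead_det_noncegen(),
++ created_at timestamptz NOT NULL DEFAULT CURRENT_TIMESTAMP,
++ updated_at timestamptz NOT NULL DEFAULT CURRENT_TIMESTAMP
++);
++
++COMMENT ON TABLE vault.secrets IS 'Table with encrypted `secret` column for storing sensitive information on disk.';
++
++CREATE UNIQUE INDEX ON vault.secrets USING btree (name) WHERE name IS NOT NULL;
++
++DROP VIEW IF EXISTS vault.decrypted_secrets;
++CREATE VIEW vault.decrypted_secrets AS
++SELECT s.id,
++ s.name,
++ s.description,
++ s.secret,
++ convert_from(
++ vault._crypto_aead_det_decrypt(
++ message := decode(s.secret, 'base64'::text),
++ additional := convert_to(s.id || s.description || s.created_at at time zone 'utc' || s.updated_at at time zone 'utc', 'utf8'),
++ key_id := 0,
++ context := 'pgsodium'::bytea,
++ nonce := s.nonce
++ ),
++ 'utf8'::name
++ ) AS decrypted_secret,
++ s.key_id,
++ s.nonce,
++ s.created_at,
++ s.updated_at
++FROM vault.secrets s;
++
++GRANT ALL ON SCHEMA vault TO pgsodium_keyiduser;
++GRANT ALL ON TABLE vault.secrets TO pgsodium_keyiduser;
++GRANT ALL ON vault.decrypted_secrets TO pgsodium_keyiduser;
++
++CREATE OR REPLACE FUNCTION vault.create_secret(
++ new_secret text,
++ new_name text = NULL,
++ new_description text = '',
++ -- unused
++ new_key_id uuid = NULL
++)
++RETURNS uuid
++LANGUAGE plpgsql
++SET search_path = ''
++AS $$
++DECLARE
++ rec record;
++BEGIN
++ INSERT INTO vault.secrets (secret, name, description)
++ VALUES (
++ new_secret,
++ new_name,
++ new_description
++ )
++ RETURNING * INTO rec;
++ UPDATE vault.secrets s
++ SET secret = encode(vault._crypto_aead_det_encrypt(
++ message := convert_to(rec.secret, 'utf8'),
++ additional := convert_to(s.id || s.description || s.created_at at time zone 'utc' || s.updated_at at time zone 'utc', 'utf8'),
++ key_id := 0,
++ context := 'pgsodium'::bytea,
++ nonce := rec.nonce
++ ), 'base64')
++ WHERE id = rec.id;
++ RETURN rec.id;
++END
++$$;
++
++CREATE OR REPLACE FUNCTION vault.update_secret(
++ secret_id uuid,
++ new_secret text = NULL,
++ new_name text = NULL,
++ new_description text = NULL,
++ -- unused
++ new_key_id uuid = NULL
++)
++RETURNS void
++LANGUAGE plpgsql
++SET search_path = ''
++AS $$
++DECLARE
++ decrypted_secret text := (SELECT decrypted_secret FROM vault.decrypted_secrets WHERE id = secret_id);
++BEGIN
++ UPDATE vault.secrets s
++ SET
++ secret = CASE WHEN new_secret IS NULL THEN s.secret
++ ELSE encode(vault._crypto_aead_det_encrypt(
++ message := convert_to(new_secret, 'utf8'),
++ additional := convert_to(s.id || coalesce(new_description, s.description) || (s.created_at at time zone 'utc') || (now() at time zone 'utc'), 'utf8'),
++ key_id := 0,
++ context := 'pgsodium'::bytea,
++ nonce := s.nonce
++ ), 'base64') END,
++ name = coalesce(new_name, s.name),
++ description = coalesce(new_description, s.description),
++ updated_at = now()
++ WHERE s.id = secret_id;
++END
++$$;
++
++SELECT pg_catalog.pg_extension_config_dump('vault.secrets', '');
 diff --git a/src/crypto_aead_det_xchacha20.c b/src/crypto_aead_det_xchacha20.c
 new file mode 100644
 index 0000000..8b7df0e
@@ -1971,12 +2100,21 @@ index 0000000..28abe9b
 +
 diff --git a/test/fixtures.sql b/test/fixtures.sql
 new file mode 100644
-index 0000000..82e3d49
+index 0000000..b323d22
 --- /dev/null
 +++ b/test/fixtures.sql
-@@ -0,0 +1,6 @@
+@@ -0,0 +1,15 @@
 +CREATE ROLE bob login password 'bob';
 +
++CREATE ROLE pgsodium_keyiduser WITH
++ NOLOGIN
++ NOSUPERUSER
++ NOCREATEDB
++ NOCREATEROLE
++ INHERIT
++ NOREPLICATION
++ CONNECTION LIMIT -1;
++
 +CREATE EXTENSION IF NOT EXISTS pgtap;
 +CREATE EXTENSION supabase_vault CASCADE;
 +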
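Review bot: `vault.update_secret` in the first hunk breaks decryption for every call that leaves `new_secret` NULL: the `CASE WHEN new_secret IS NULL THEN s.secret` branch keeps the old ciphertext while `updated_at = now()` (and possibly `description`) change, and both values are part of the additional data that `vault.decrypted_secrets` authenticates, so the next read of that row fails the AEAD tag check. The `decrypted_secret` variable declared at the top of the function and never used looks like the intended fix — re-encrypt `coalesce(new_secret, decrypted_secret)` unconditionally so the ciphertext is always bound to the new AAD. The AAD is also built by implicitly casting `created_at`/`updated_at` to text, which depends on the session's `DateStyle`, so a row written under one setting may not decrypt under another; rendering the timestamps with `to_char(..., 'YYYY-MM-DD HH24:MI:SS.US')` or `extract(epoch from ...)` (or binding only `s.id`, which the primary key already makes unique) would make the AAD deterministic. Finally, `vault._crypto_aead_det_noncegen` is declared `IMMUTABLE`, which allows the planner to fold the `nonce` default to a constant so a multi-row `INSERT` into `vault.secrets` may share one nonce; a nonce generator should be `VOLATILE`.
```sql
-- … unchanged: function header, DECLARE decrypted_secret …
 UPDATE vault.secrets s
 SET
 -- always re-encrypt so the ciphertext is bound to the updated AAD
 secret = encode(vault._crypto_aead_det_encrypt(
 message := convert_to(coalesce(new_secret, decrypted_secret), 'utf8'),
 additional := convert_to(s.id || coalesce(new_description, s.description) || (s.created_at at time zone 'utc') || (now() at time zone 'utc'), 'utf8'),
 key_id := 0,
 context := 'pgsodium'::bytea,
 nonce := s.nonce
 ), 'base64'),
-- … unchanged: name, description, updated_at assignments and WHERE …
```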
